
FR: Automatically authorize Addon routes #1285

Closed
Rias500 opened this Issue Mar 1, 2017 · 1 comment


Rias500 commented Mar 1, 2017

Expected behaviour

Routes created by an add-on for the CP should automatically be guarded for the cp:access permission.

Actual behaviour

They are not, and they show an error page rather than the "you don't have access to this page" message.


rrelmy commented Mar 1, 2017

The problematic part is that the code inside the method is executed, but the views can not be rendered.


I had a conversation with the gentlemen on this some time ago.

Here is an answer from Jack:

Controllers don't have security baked in on their own, as they can be used on the front-end as well. We should add a new page in the docs on how to best treat it, but there are a number of methods, like Auth::check() and Auth::user()->can() and so on. If I knew 'em off the top of my head I would spell it all out right here, but we'll get back to ya :)

The needed usage of $this->authorize('cp:access') should at least be documented at https://docs.statamic.com/addons/classes/controllers
or, even better, already be in the skeleton code.


Would it be possible to protect the backend methods but not the prefixed ones (getFoo, postBar)?
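As an added illustration of the pattern discussed in this thread (it is example code, not from the issue, the Statamic skeleton, or the Statamic code base), the controller below guards only the methods that serve CP routes with `$this->authorize('cp:access')` and leaves the prefixed front-end methods (`getFoo`, `postBar`) open. It assumes a Statamic v2 add-on named `Example` whose controller extends `Statamic\Extend\Controller`, that `authorize()` is Laravel's `AuthorizesRequests::authorize()` (which throws an `AuthorizationException`, rendered as a 403, when the check fails), and a hypothetical Blade view name `example::settings`; the route paths in the comments are illustrative only.

```php
<?php
// Added example, not Statamic's own code. Assumptions: add-on "Example",
// base class Statamic\Extend\Controller, Laravel's authorize() helper,
// and a hypothetical view "example::settings".

namespace Statamic\Addons\Example;

use Illuminate\Support\Facades\Auth;
use Statamic\Extend\Controller;

class ExampleController extends Controller
{
    /**
     * Deny the request unless the current user holds cp:access.
     * The check is made inside each CP action rather than in the
     * constructor, so it runs after the session/auth middleware and
     * before any of the action's own code executes.
     */
    private function guardCp()
    {
        $this->authorize('cp:access');
    }

    // CP route (illustrative path: GET /cp/addons/example/settings)
    public function settings()
    {
        $this->guardCp();

        return view('example::settings', [
            'title' => 'Example settings',
        ]);
    }

    // CP route (illustrative path: POST /cp/addons/example/settings)
    public function saveSettings()
    {
        $this->guardCp();

        // ... validate and persist the submitted settings ...

        return back();
    }

    // CP route written the "manual" way Jack mentions: Auth::check() and
    // Auth::user()->can(), producing a 403 instead of a rendering error.
    public function report()
    {
        if (! Auth::check() || ! Auth::user()->can('cp:access')) {
            abort(403, "You don't have access to this page.");
        }

        return response('report output');
    }

    // Front-end route (illustrative path: GET /!/Example/foo).
    // Deliberately not guarded: it is served to ordinary site visitors.
    public function getFoo()
    {
        return response('Hello from the front-end');
    }

    // Front-end route (illustrative path: POST /!/Example/bar).
    // Public endpoint: validate its input rather than requiring cp:access.
    public function postBar()
    {
        $payload = request()->validate(['name' => 'required|string|max:100']);

        return response()->json(['ok' => true, 'name' => $payload['name']]);
    }
}
```

Keeping the guard as a one-line private method makes it easy to see at a glance which actions are CP-only, and a missing `$this->guardCp()` call at the top of a new CP action is a straightforward thing to catch in review.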
